# GitHub Target Repo-by-repo Approval Package

| Item | Content |
|------|---------|
| Date | 2026-05-12 |
| Status | Draft, awaiting human approval |
| Upstream decision | `docs/security/GITHUB-TARGET-VISIBILITY-DECISION-TABLE.md` |
| JSON snapshot | `docs/security/github-target-repo-approval-package.snapshot.json` |
| Schema | `docs/schemas/github_target_repo_approval_package_v1.schema.json` |
| Owner response intake package | `docs/security/GITHUB-TARGET-OWNER-DECISION-RESPONSE.md` |
| Low-friction policy | `docs/security/SECURITY-LOW-FRICTION-ROLLOUT-POLICY.md` |
| Principle | Low friction, repo-by-repo decisions; no automatic repo creation, no visibility changes, no refs sync, no primary switch |

## 0. Core conclusion

The 7 approval-required GitHub targets have been split into three approval paths:

1. Refs reconcile: `awoooi`, `clawbot-v5`, `wooo-aiops`.
2. GitHub target creation / access grant: `ewoooc`, `bitan-pharmacy`, `tsenyang-website`.
3. Internal remote purpose confirmation: `wooo-infra-config`.

This package only lets AwoooP / the commander see each repo's approval conditions and forbidden actions. It does not mean that push, mirror, repo creation, visibility changes or GitHub primary have been approved.

S4.10 has added 1 owner response request packet, 7 template statuses, 3 audit event templates, 5 redaction examples, 6 collection checks, 6 intake preflight checks and 7 owner decision response templates. Once an owner response passes, the only things that may be updated are the read-only decision table, the approval package, the approval board and the primary readiness gate; a passed owner response is not equivalent to repo creation, a visibility change, a refs sync or primary approval.

## 0.1 Low-friction phased principles

The goal of the security net in its early phase is to establish the framework and the evidence first, not to pull the entire product, architecture and process up to the strictest level at once. To avoid over-complicating development, deployment and operations workflows, this package adopts the following principles:

1. Read-only inventory, documentation and evidence mirroring are allowed to proceed by default.
2. General repo classification, owner annotations and risk labels start in `observe` / `warn` mode and do not block the workflow directly.
3. Only actions that create a repo, change visibility, sync refs, move secrets, delete / archive a repo, or switch primary require approval.
4. The approval package only draws the boundary of "may the next step be executed"; it does not turn every low-risk investigative action into an approval.
5. Each phase converges only a small slice of the control plane, so that too many tools, rules and processes are not introduced at once.

## 1. Repo-by-repo decision table

| GitHub target | Action | Risk | Required reviewers | Blocked until |
|---------------|--------|------|--------------------|---------------|
| `owenhytsai/awoooi` | refs reconcile plan | HIGH | migration-engineer, security-commander, human-owner | server-side inventory; names of refs/workflows/webhooks/secrets; primary ADR |
| `owenhytsai/clawbot-v5` | refs reconcile plan | MEDIUM | migration-engineer, human-owner | confirmation of how main SHA / tags are handled |
| `owenhytsai/wooo-aiops` | refs reconcile plan | MEDIUM | migration-engineer, human-owner | main SHA; source of GitHub-only branches/tags clarified |
| `owenhytsai/wooo-infra-config` | confirm internal remote purpose | MEDIUM | migration-engineer, security-commander, human-owner | purpose of the 110 remote; inventory of infra secret names |
| `owenhytsai/ewoooc` | create or grant access after canonical approval | HIGH | migration-engineer, security-commander, human-owner | momo/ewoooc canonical decision; server-side refs diff; owner / visibility |
| `owenhytsai/bitan-pharmacy` | create or grant access after canonical approval | MEDIUM | migration-engineer, human-owner | active status; owner / visibility |
| `owenhytsai/tsenyang-website` | create or grant access after canonical approval | MEDIUM | migration-engineer, human-owner | active status; owner / visibility |

## 2. The only things approval permits

| Action | Permitted after approval |
|--------|--------------------------|
| refs reconcile plan | Produce a reconcile plan, draft a migration PR or ADR, update matrix evidence |
| create or grant access after canonical approval | Decide whether to create the GitHub repo or grant access to the existing private repo; produce a migration plan |
| confirm internal remote purpose | Mark the remote as mirror / legacy / active source; update the canonical decision table |

## 3. Still forbidden even after approval

1. Pushing refs directly.
2. Syncing a mirror directly.
3. Switching GitHub primary directly.
4. Disabling, deleting or archiving a Gitea repo directly.
5. Automatically merging unrelated histories.
6. Moving secret values.
7. Changing GitHub visibility without explicit approval from the repo owner.

## 4. How AwoooP consumes this package

AwoooP may mirror `github_target_repo_approval_package_v1` as grouping evidence for its approval queue, but it may only:

1. Display repo, risk, required reviewers and blocked_until.
2. Create approval candidates.
3. Return read-only policy recommendations.

AwoooP must not directly execute GitHub repo creation, visibility changes, refs sync or a primary switch.

## 5. Next steps

1. Wait for the Gitea full inventory approval to complete, then fill in the private/internal repo list.
2. Following S4.10, obtain the owner / visibility / canonical response for each repo, and pass it through the acceptance / rejection rules first.
3. Produce reconcile plans for the refs-blocked repos.
4. For `ewoooc`, complete the canonical determination first, then decide whether to create the target or grant access.